feat(admin): support env var and security.toml for credentials (#8606)

* feat(security): add [admin] section to security.toml scaffold Add admin credential fields (user, password, readonly.user, readonly.password) to security.toml. Via viper's WEED_ env prefix and AutomaticEnv(), these are automatically overridable as WEED_ADMIN_USER, WEED_ADMIN_PASSWORD, etc. Ref: https://github.com/seaweedfs/seaweedfs/discussions/8586 * feat(admin): support env var and security.toml fallbacks for credentials Add applyViperFallback() to read admin credentials from security.toml / WEED_* environment variables when CLI flags are not explicitly set. This allows systems like NixOS to pass secrets via env vars instead of CLI flags, which appear in process listings. Precedence: CLI flag > env var / security.toml > default value. Also change -adminUser default from "admin" to "" so that credentials are fully opt-in. Ref: https://github.com/seaweedfs/seaweedfs/discussions/8586 * feat(helm): use WEED_ env vars for admin credentials instead of CLI flags Rename SEAWEEDFS_ADMIN_USER/PASSWORD to WEED_ADMIN_USER/PASSWORD so viper picks them up natively. Remove -adminUser/-adminPassword shell expansion from command args since the Go binary now reads these directly via viper. * docs(admin): document env var and security.toml credential support Add environment variable mapping table, security.toml example, and precedence rules to the admin README. * style(security): use nested [admin.readonly] table in security.toml Use a nested TOML table instead of dotted keys for the readonly credentials. More idiomatic and easier to read; no change in how Viper parses it. * fix(admin): use util.GetViper() for env var support and fix README example applyViperFallback() was using viper.GetString() directly, which bypasses the WEED_ env prefix and AutomaticEnv setup that only happens in util.GetViper(). Switch to util.GetViper().GetString() so WEED_ADMIN_* environment variables are actually picked up. Also fix the README example to include WEED_ADMIN_USER alongside WEED_ADMIN_PASSWORD, since runAdmin() rejects an empty username when a password is set. * fix(admin): restore default adminUser to "admin" Defaulting adminUser to "" broke the common flow of setting only WEED_ADMIN_PASSWORD — runAdmin() rejects an empty username when a password is set. Restore "admin" as the default so that setting only the password works out of the box. * docs(admin): align README security.toml example with scaffold format Use nested [admin.readonly] table instead of flat dotted keys to match the format in weed/command/scaffold/security.toml. * docs(admin): remove README.md in favor of wiki page Admin documentation lives at the wiki (Admin-UI.md). Remove the in-repo README to avoid maintaining duplicate docs. --------- Co-authored-by: Copilot <copilot@github.com>
2026-03-11 17:40:24 -07:00
parent 013362d2d3
commit e4a77b8b16
4 changed files with 43 additions and 285 deletions
--- a/k8s/charts/seaweedfs/templates/admin/admin-statefulset.yaml
+++ b/k8s/charts/seaweedfs/templates/admin/admin-statefulset.yaml
@@ -93,12 +93,12 @@ spec:
          {{- $adminSecretName := .Values.admin.secret.existingSecret | default (printf "%s-admin-secret" (include "seaweedfs.fullname" .)) }}
          env:
            {{- if $adminAuthEnabled }}
-            - name: SEAWEEDFS_ADMIN_USER
+            - name: WEED_ADMIN_USER
              valueFrom:
                secretKeyRef:
                  name: {{ $adminSecretName }}
                  key: {{ if .Values.admin.secret.existingSecret }}{{ .Values.admin.secret.userKey }}{{ else }}adminUser{{ end }}
-            - name: SEAWEEDFS_ADMIN_PASSWORD
+            - name: WEED_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ $adminSecretName }}
@@ -153,10 +153,6 @@ spec:
              {{- else if .Values.admin.dataDir }}
              -dataDir={{ .Values.admin.dataDir }} \
              {{- end }}
              {{- if $adminAuthEnabled }}
              -adminUser="${SEAWEEDFS_ADMIN_USER}" \
              -adminPassword="${SEAWEEDFS_ADMIN_PASSWORD}" \
              {{- end }}
              {{- if .Values.admin.masters }}
              -masters={{ .Values.admin.masters }}{{- if .Values.admin.extraArgs }} \{{ end }}
              {{- else if .Values.global.masterServer }}
--- a/weed/admin/README.md
+++ b/weed/admin/README.md
@@ -1,279 +0,0 @@
 # SeaweedFS Admin Component
 A modern web-based administration interface for SeaweedFS clusters built with Go, Gin, Templ, and Bootstrap.
 ## Features
 - **Dashboard**: Real-time cluster status and metrics
 - **Master Management**: Monitor master nodes and leadership status
 - **Volume Server Management**: View volume servers, capacity, and health
 - **Object Store Bucket Management**: Create, delete, and manage Object Store buckets with web interface
 - **S3 Tables Management**: Manage table buckets, namespaces, tables, tags, and policies via the admin UI
 - **System Health**: Overall cluster health monitoring
 - **Responsive Design**: Bootstrap-based UI that works on all devices
 - **Authentication**: Optional user authentication with sessions
 - **TLS Support**: HTTPS support for production deployments
 ## Building
 ### Using the Admin Makefile
 The admin component has its own Makefile for development and building:
 ```bash
 # Navigate to admin directory
 cd weed/admin
 # View all available targets
 make help
 # Generate templates and build
 make build
 # Development mode with template watching
 make dev
 # Run the admin server
 make run
 # Clean build artifacts
 make clean
 ```
 ### Using the Root Makefile
 The root SeaweedFS Makefile automatically integrates the admin component:
 ```bash
 # From the root directory
 make install          # Builds weed with admin component
 make full_install     # Full build with all tags
 make test            # Runs tests including admin component
 # Admin-specific targets from root
 make admin-generate  # Generate admin templates
 make admin-build     # Build admin component
 make admin-run       # Run admin server
 make admin-dev       # Development mode
 make admin-clean     # Clean admin artifacts
 ```
 ### Manual Building
 If you prefer to build manually:
 ```bash
 # Install templ compiler
 go install github.com/a-h/templ/cmd/templ@latest
 # Generate templates
 templ generate
 # Build the main weed binary
 cd ../../../
 go build -o weed ./weed
 ```
 ## Development
 ### Template Development
 The admin interface uses [Templ](https://templ.guide/) for type-safe HTML templates:
 ```bash
 # Watch for template changes and auto-regenerate
 make watch
 # Or manually generate templates
 make generate
 # Format templates
 make fmt
 ```
 ### File Structure
 ```
 weed/admin/
 ├── Makefile              # Admin-specific build tasks
 ├── README.md             # This file
 ├── admin.go              # Main application entry point
 ├── dash/                 # Server and handler logic
 │   ├── admin_server.go   # HTTP server setup
 │   ├── handler_admin.go  # Admin dashboard handlers
 │   ├── handler_auth.go   # Authentication handlers
 │   └── middleware.go     # HTTP middleware
 ├── static/               # Static assets
 │   ├── css/admin.css     # Admin-specific styles
 │   └── js/admin.js       # Admin-specific JavaScript
 └── view/                 # Templates
    ├── app/              # Application templates
    │   ├── admin.templ   # Main dashboard template
    │   ├── s3_buckets.templ # Object Store bucket management template
    │   ├── s3tables_*.templ # S3 Tables management templates
    │   └── *_templ.go    # Generated Go code
    └── layout/           # Layout templates
        ├── layout.templ  # Base layout template
        └── layout_templ.go # Generated Go code
 ```
 ### Object Store Management
 The admin interface includes Object Store and S3 Tables management capabilities:
 - Create/delete Object Store buckets and adjust quotas or ownership.
 - Manage S3 Tables buckets, namespaces, and tables.
 - Update S3 Tables policies and tags via the UI and API endpoints.
 ## Usage
 ### Basic Usage
 ```bash
 # Start admin interface on default port (23646)
 weed admin
 # Start with custom configuration
 weed admin -port=8080 -masters="master1:9333,master2:9333"
 # Start with authentication
 weed admin -adminUser=admin -adminPassword=secret123
 # Start with HTTPS
 weed admin -port=443 -tlsCert=/path/to/cert.pem -tlsKey=/path/to/key.pem
 ```
 ### Configuration Options
 | Option | Default | Description |
 |--------|---------|-------------|
 | `-port` | 23646 | Admin server port |
 | `-masters` | localhost:9333 | Comma-separated master servers |
 | `-adminUser` | admin | Admin username (if auth enabled) |
 | `-adminPassword` | "" | Admin password (empty = no auth) |
 | `-tlsCert` | "" | Path to TLS certificate |
 | `-tlsKey` | "" | Path to TLS private key |
 ### Docker Usage
 ```bash
 # Build Docker image with admin component
 make docker-build
 # Run with Docker
 docker run -p 23646:23646 seaweedfs/seaweedfs:latest admin -masters=host.docker.internal:9333
 ```
 ## Development Workflow
 ### Quick Start
 ```bash
 # Clone and setup
 git clone <seaweedfs-repo>
 cd seaweedfs/weed/admin
 # Install dependencies and build
 make install-deps
 make build
 # Start development server
 make dev
 ```
 ### Making Changes
 1. **Template Changes**: Edit `.templ` files in `view/`
   - Templates auto-regenerate in development mode
   - Use `make generate` to manually regenerate
 2. **Go Code Changes**: Edit `.go` files
   - Restart the server to see changes
   - Use `make build` to rebuild
 3. **Static Assets**: Edit files in `static/`
   - Changes are served immediately
 ### Testing
 ```bash
 # Run admin component tests
 make test
 # Run from root directory
 make admin-test
 # Lint code
 make lint
 # Format code
 make fmt
 ```
 ## Production Deployment
 ### Security Considerations
 1. **Authentication**: Always set `adminPassword` in production
 2. **HTTPS**: Use TLS certificates for encrypted connections
 3. **Firewall**: Restrict admin interface access to authorized networks
 ### Example Production Setup
 ```bash
 # Production deployment with security
 weed admin \
  -port=443 \
  -masters="master1:9333,master2:9333,master3:9333" \
  -adminUser=admin \
  -adminPassword=your-secure-password \
  -tlsCert=/etc/ssl/certs/admin.crt \
  -tlsKey=/etc/ssl/private/admin.key
 ```
 ### Monitoring
 The admin interface provides endpoints for monitoring:
 - `GET /health` - Health check endpoint
 - `GET /metrics` - Prometheus metrics (if enabled)
 - `GET /api/status` - JSON status information
 ## Troubleshooting
 ### Common Issues
 1. **Templates not found**: Run `make generate` to create template files
 2. **Build errors**: Ensure `templ` is installed with `make install-templ`
 3. **Static files not loading**: Check that `static/` directory exists and has proper files
 4. **Connection errors**: Verify master and filer addresses are correct
 ### Debug Mode
 ```bash
 # Enable debug logging
 weed -v=2 admin
 # Check generated templates
 ls -la view/app/*_templ.go view/layout/*_templ.go
 ```
 ## Contributing
 1. Fork the repository
 2. Create a feature branch
 3. Make your changes
 4. Run tests: `make test`
 5. Format code: `make fmt`
 6. Submit a pull request
 ## Architecture
 The admin component follows a clean architecture:
 - **Presentation Layer**: Templ templates + Bootstrap CSS
 - **HTTP Layer**: Gin router with middleware
 - **Business Logic**: Handler functions in `dash/` package
 - **Data Layer**: Communicates with SeaweedFS masters and filers
 This separation makes the code maintainable and testable. 
--- a/weed/command/admin.go
+++ b/weed/command/admin.go
@@ -17,6 +17,8 @@ import (
 	"syscall"
 	"time"
 	flag "github.com/seaweedfs/seaweedfs/weed/util/fla9"
 	"github.com/gorilla/mux"
 	"github.com/gorilla/sessions"
 	"github.com/spf13/viper"
@@ -98,6 +100,9 @@ var cmdAdmin = &Command{
    - IMPORTANT: When read-only credentials are configured, adminPassword MUST also be set
    - This ensures an admin account exists to manage and authorize read-only access
    - Sessions are secured with auto-generated session keys
    - Credentials can also be set via security.toml [admin] section or environment variables:
      WEED_ADMIN_USER, WEED_ADMIN_PASSWORD, WEED_ADMIN_READONLY_USER, WEED_ADMIN_READONLY_PASSWORD
    - Precedence: CLI flag > env var / security.toml > default value
  Security Configuration:
    - The admin server reads TLS configuration from security.toml
@@ -137,6 +142,13 @@ func runAdmin(cmd *Command, args []string) bool {
 	// Load security configuration
 	util.LoadSecurityConfiguration()
 	// Apply security.toml / env var fallbacks for credential flags.
 	// CLI flags take precedence over security.toml / WEED_* env vars.
 	applyViperFallback(cmd, a.adminUser, "adminUser", "admin.user")
 	applyViperFallback(cmd, a.adminPassword, "adminPassword", "admin.password")
 	applyViperFallback(cmd, a.readOnlyUser, "readOnlyUser", "admin.readonly.user")
 	applyViperFallback(cmd, a.readOnlyPassword, "readOnlyPassword", "admin.readonly.password")
 	// Backward compatibility: if -masters is provided, use it
 	if *a.masters != "" {
 		*a.master = *a.masters
@@ -534,6 +546,22 @@ func loadOrGenerateSessionKeys(dataDir string) ([]byte, []byte, error) {
 	return key[:keyLen], key[keyLen:], nil
 }
 // applyViperFallback sets a flag's value from viper (security.toml / env var)
 // when the flag was not explicitly set on the command line.
 func applyViperFallback(cmd *Command, flagPtr *string, flagName, viperKey string) {
 	explicitlySet := false
 	cmd.Flag.Visit(func(f *flag.Flag) {
 		if f.Name == flagName {
 			explicitlySet = true
 		}
 	})
 	if !explicitlySet {
 		if v := util.GetViper().GetString(viperKey); v != "" {
 			*flagPtr = v
 		}
 	}
 }
 // expandHomeDir expands the tilde (~) in a path to the user's home directory
 func expandHomeDir(path string) (string, error) {
 	if path == "" {
--- a/weed/command/scaffold/security.toml
+++ b/weed/command/scaffold/security.toml
@@ -165,6 +165,19 @@ cert = ""
 key = ""
 ca = ""
 # Admin server authentication
 # If password is set, users must login to access the admin interface
 # These can be overridden by environment variables with WEED_ prefix:
 #   WEED_ADMIN_USER, WEED_ADMIN_PASSWORD
 #   WEED_ADMIN_READONLY_USER, WEED_ADMIN_READONLY_PASSWORD
 [admin]
 user = ""
 password = ""
 [admin.readonly]
 user = ""
 password = ""
 # white list. It's checking request ip address.
 [guard]
 white_list = ""